Alloy hosts a Responsible Disclosures program where our security team accepts reports about covered vulnerabilities. The program is outlined below and you can read more about Alloy’s security practices here.
We encourage everyone who complies with our policies and terms of service to participate in our responsible disclosure program. Please avoid automated testing and only perform security testing with your own data. Please do not disclose any information regarding the vulnerabilities until we have fixed them.
You can report vulnerabilities by contacting security@alloy.com. Please include a proof of concept.
Coverage
Accepted vulnerabilities are the following:
- Cross-Site Scripting (XSS)
- Open redirect
- Cross-Site Request Forgery (CSRF)
- Command/File/URL inclusion
- Authentication issues
- Code execution
- Code or database injections
Exclusions
This program does NOT include:
- Logout CSRF
- Account/email enumerations
- Denial of Service (DoS)
- Attacks that could harm the reliability/integrity of our business
- Spam attacks
- Clickjacking on pages without authentication and/or sensitive state changes
- Mixed content warnings
- Lack of DNSSEC
- Content spoofing / text injection
- Timing attacks
- Social engineering
- Phishing
- Insecure cookies for non-sensitive cookies or 3rd party cookies
- Vulnerabilities requiring exceedingly unlikely user interaction
- Exploits that require physical access to a user's machine